ulead photo explorer is a great example of trial software and an exact example of how it shouldn't be done... anyways, it's not our problem because if they want to share it with us for free or almost for free we can always accept it, right ? =) okay, let's use our minds now... first of all, install the software and see how it works... nothing unusual here: a nag screen that informs us about the trial time and nothing more... well, let's see what's inside... run w32dasm - I use version 8.93 - load pe42.exe and disassemble it... now, let's check out the 'string data references'... hmmm, nothing interesting here, what now ??? well, save the listing as a project and minimize w32dasm... now double click on the windows clock to open the date/time properties... let's move it a month or two ahead... heh, that's like travelling in time, isn't it ?! no, it's not... =P~~ now run photo explorer once again and it'll nicely inform you that your trial period is over... let's travel back to our time and run it again... this time it should say 'sorry! due to internal checking file damaged or system time had been changed...' yay, that's what we've been looking for ! now that it's expired there's no way out: crack it or walk away... get back to w32dasm and check out 'imports', scroll down till you find the 'peabout.' library and the functions we need to check, 'CheckTimeLimit' and 'IsFullVersion'... double click on peabout.IsFullVersion and it'll take you to this location:
* Reference To: peabout.IsFullVersion, Ord:0002h
|
:0041B5DE FF15840C4600 Call dword ptr [00460C84] - checks whether it's the full or the trial version...
:0041B5E4 83C404 add esp, 00000004 - the result is returned in eax...
:0041B5E7 85C0 test eax, eax - full or trial ?
:0041B5E9 751B jne 0041B606 - jumps if full, falls through if trial...
* Reference To: peabout.CheckTimeLimit, Ord:0000h
|
:0041B5EB FF15800C4600 Call dword ptr [00460C80] - now it checks the trial time...
:0041B5F1 85C0 test eax, eax - end of trial ?
:0041B5F3 7511 jne 0041B606 - no, there are some days left, run the program...
:0041B5F5 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF - no days left: show the
:0041B5FC E8CB020000 call 0041B8CC - proper message and exit
:0041B601 E928FEFFFF jmp 0041B42E
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041B5D6(C), :0041B5E9(C), :0041B5F3(C)
|
:0041B606 8B4DF0 mov ecx, dword ptr [ebp-10] - this is where the program continues
:0041B609 E8E2130000 call 0041C9F0 - after the check...
looks pretty simple, eh ? at first you'll probably think: gotta do something with that check at :0041B5E7... well... it's a solution, but... I tell you it's not the best solution... anyways, after such a change your code should look like this:
* Reference To: peabout.IsFullVersion, Ord:0002h
|
:0041B5DE FF15840C4600 Call dword ptr [00460C84] - checks whether it's the full or the trial version...
:0041B5E4 83C404 add esp, 00000004 - the result is returned in eax...
:0041B5E7 33C0 xor eax, eax - make eax = 0 always
:0041B5E9 741B je 0041B606 - if eax=0 then jump...
photo explorer will run without a nag screen and it looks like the full version now, but... what about the ABOUT menu ? you'll see that it still says it's a trial or something like that... so your crack isn't complete yet... let's see... it says: '* Reference To: peabout.IsFullVersion, Ord:0002h'... if you look inside the photo explorer dir you'll find our victim, 'peabout.dll'... disassemble it and look into 'exports'... yay ! 'CheckTimeLimit' and 'IsFullVersion' are there ! double click on IsFullVersion and you should see the code below... let's take a look...
Exported fn(): IsFullVersion - Ord:0003h
:100010C0 83EC04 sub esp, 00000004
:100010C3 833D40B0001000 cmp dword ptr [1000B040], 00000000
:100010CA 750F jne 100010DB - in our case it always jumps here...
* Reference To: peabout.InitAboutDll
|
:100010CC E86FFFFFFF call 10001040
:100010D1 85C0 test eax, eax
:100010D3 7506 jne 100010DB
:100010D5 33C0 xor eax, eax
:100010D7 83C404 add esp, 00000004
:100010DA C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100010CA(C), :100010D3(C)
|
* Reference To: peabout.IsPI3FullVersion
|
:100010DB E8E0030000 call 100014C0
:100010E0 A334C80010 mov dword ptr [1000C834], eax
* Reference To: peabout.IsWEGOFullVersion
|
:100010E5 E8B6010000 call 100012A0
:100010EA 8B4C2408 mov ecx, dword ptr [esp+08]
:100010EE 6A00 push 00000000
:100010F0 A330C80010 mov dword ptr [1000C830], eax
:100010F5 8D442404 lea eax, dword ptr [esp+04]
:100010F9 50 push eax
:100010FA 6A01 push 00000001
* Possible StringData Ref from Data Obj ->"SpecialBuild"
|
:100010FC 6844B00010 push 1000B044
:10001101 51 push ecx
:10001102 E8C90C0000 call 10001DD0
:10001107 83C414 add esp, 00000014
:1000110A 85C0 test eax, eax - trial / full check...
:1000110C 741D je 1000112B - jump if trial...
:1000110E 817C240014050000 cmp dword ptr [esp], 00000514 - same as above...
:10001116 7513 jne 1000112B
:10001118 B801000000 mov eax, 00000001 - eax=1 means full version...
:1000111D 83C404 add esp, 00000004
:10001120 C70540C8001001000000 mov dword ptr [1000C840], 00000001
:1000112A C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000110C(C), :10001116(C)
|
:1000112B 33C0 xor eax, eax - here's our problem, it sets eax=0...
:1000112D 83C404 add esp, 00000004
:10001130 C3 ret
wow, wow, wait a minute, you'll say... how did I find out it always jumps at :100010CA ??? well, just load your pe42 project file, from the DEBUG menu choose LOAD PROCESS, when it loads click on the 'Active DLLs' window and scroll down till you find peabout.dll... now double click it and choose 'yes'... go to the start of 'IsFullVersion' and place a breakpoint there by pressing F2... now press F9 [run process] and wait a moment... it'll stop on our breakpoint... now press F7 a few times... see now ?! so our problem comes down to those two 'trial / full check' tests... simple, make these changes:
* Possible StringData Ref from Data Obj ->"SpecialBuild"
|
[...]
:1000110A 85C0 test eax, eax
:1000110C 7400 je 1000110E
:1000110E 817C240014050000 cmp dword ptr [esp], 00000514
:10001116 7500 jne 10001118
[...]
the trial check has been removed and now it'll always return as the full version; there's no need to mess with 'CheckTimeLimit' because it isn't reached any more... let's see that ABOUT menu now... in the 'exports' we've got a 'ShowAboutBox' function... double click it and you should see:
Exported fn(): ShowAboutBox - Ord:0006h
:100016C0 833D40C8001000 cmp dword ptr [1000C840], 00000000
:100016C7 7410 je 100016D9
:100016C9 8B442404 mov eax, dword ptr [esp+04]
:100016CD 6A01 push 00000001
:100016CF 50 push eax
:100016D0 E8EB140000 call 10002BC0
:100016D5 83C408 add esp, 00000008
:100016D8 C3 ret
using the previous trick we'll find out that the jump at :100016C7 is the 'trial' jump... so once again make this change:
:100016C7 7400 je 100016C9
done... to sum up... we've changed just three bytes to get the full version of ulead photo explorer v4.2... not bad, but sometimes it's just a matter of one byte... so... till the next crack... ah, by the way, if you enjoyed this tutorial or you think it just plainly sucks, just let us know... we gotta know what to do or what not to do next...
signed:
emotion thirteen